E-Commerce Law Week, Issue 513

Court Underscores Importance of Clear, Consistent Company Policies on Monitoring

The Ninth Circuit ruled last month in Quon v. Arch Wireless Operating Co. that a police department had violated the Fourth Amendment rights of one of its employees when it reviewed the content of text messages that he had sent using his department-issued pager.  The court's ruling was based in part on its finding that the department's informal policy of not auditing text message contents gave the employee a reasonable expectation of privacy in his messages -- despite the fact that the department had also informed its employees that it had the right to monitor pager messages under its computer use policy.  But some of the court's opinion also suggests that the formal computer use policy, if not undermined by the informal policy, would have deprived the employee of a reasonable expectation of privacy.  The court also found that the provider of the pager service had violated the Stored Communications Act (SCA) by turning the messages over to the department, since it did not have the consent of the messages' senders or recipients. 

Connecticut Requires New Privacy Protections for Personal Data

Forty-four states now require companies to notify affected individuals in the event of a data security breach, but few directly require companies to take steps to protect data or to publish a privacy policy.  Connecticut recently decided to do both.  Effective October 1, 2008, a new state law requires “[a]ny person in possession of personal information of another person [to] safeguard” the information “from misuse by third parties” and to “destroy, erase or make [it] unreadable … prior to disposal.”  The law also requires “[a]ny person who collects Social Security numbers in the course of business [to] create a privacy protection policy which shall be published or publicly displayed.”  The policy shall (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.  Though the law lacks specificity, it could prompt a second wave of state security legislation that requires substantive security measures rather than simply notification of breaches.

UK Financial Regulator and OECD Take Tougher Line on Data Security

Two recent developments could portend increased liability for international businesses with inadequate data security practices.  On June 13, the UK's Financial Services Authority (FSA) fined a stock-broking firm £77,000 for failing to take "reasonable care" to protect customer information from "theft, loss or unauthorised alteration" -- even though the FSA found no evidence that any customer information had actually been compromised.  This marks the first time that the FSA has fined a company for weak data security absent evidence of a breach.  Meanwhile, in an annex to a report released in June, the Organization for Economic Co-operation and Development urged member countries to "initiat[e] investigations and enforcement actions against entities that violate the laws governing data security" where "appropriate."

Swedish Parliament Passes Sweeping Surveillance Law

While U.S. lawmakers continue to debate a controversial amendment to the Foreign Intelligence Surveillance Act, an equally contentious piece of spying legislation cleared the Swedish Parliament.  The law, which was approved by the Riksdag by a slim margin on June 18, will give Sweden's National Defence Radio Establishment (FRA) the right to monitor international phone calls, Internet communications, e-mails and faxes for sensitive keywords without a court order.  (Currently, email and phone surveillance in Sweden requires a court order, but monitoring of radio and satellite signals does not.)  The FRA's new powers will be subject to oversight by independent institutions and Parliament, and an annex to the law designed to safeguard individual rights will be voted on this fall.  Assuming it survives any legal challenge, Sweden's new spying law will take effect January 1, 2009.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.